Hi all,

To restrict a directory I went the .htaccess/.htpasswd route. But with different access levels, which I thought I could accomplish with the following PHP code:

    $auth_ok = 0;
    // User name from the HTTP Basic credentials the browser sent.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    if (isset($user)) {
        // The level is chosen from the user name only; PHP_AUTH_PW is not examined here.
        if ($user == "mike" || $user == "clark") {
            $auth_ok = 1;
            $auth = "1";
        }
        if ($user == "john") {
            $auth_ok = 1;
            $auth = "2";
        }
    }
    if (!$auth_ok) {
        // Slow down repeated attempts, then ask the browser for credentials.
        sleep(1);
        header('WWW-Authenticate: Basic realm="Restricted Access"');
        header("HTTP/1.0 401 Unauthorized");
        echo "<h1>Sorry!</h1>";
        echo "No access for you.";
        exit;
    }

But now I notice that .htpasswd isn't called, like if I use Mike and different passwords, user Mike has access to his part of the directory. Somehow .htpasswd isn't used?? Does anyone know a solution?
When Apache is serving pages from a directory, it looks at the .htaccess for any restrictions and redirections. If its authentication is required, where the .htaccess file contains lines such as:

Apache will authenticate the user before starting to work on the page. It is only then that it will deal with the page, handing yours over to the PHP engine for processing. This is not going to work if you have not used Apache's htpasswd program to create the "/full_path_to/htpasswd-generated-file" file. This does not mean that you cannot determine whether or not a user has the capacity to view a specific page ... even though Apache says they are OK to view all pages in a specific directory. You can define your own access levels for logged-in users and programmatically allow or deny them to view specific pages ... though I would not use a 401 error to accomplish this.
I am not quite following you. I do have a .htaccess with

    AuthUserFile /www/path-to/.htpasswd
    AuthName 'Members only'
    AuthType Basic
    require valid-user

And I wish to make a difference between authorized members within a specific page. For this I use

    if ($auth == "1") { }
    if ($auth == "2") { }

Why wouldn't you use a 401 error page? Isn't that clear enough for users?

Edit: Or do you mean this part of my code

    $user = $_SERVER['PHP_AUTH_USER'];

by which I am trying to get the authorized $username from the .htaccess
In response to your queries. First, a question: is there a file called /www/path-to/.htpasswd and was that created using Apache's htpasswd program? If the answer is no, then Apache authentication will not work and there will be no value for $_SERVER['PHP_AUTH_USER']; Apache authentication is not used to create user levels per se. It simply allows or disallows access to files in a directory based on whether someone has the correct user name and password. Once the user passes that test, their name will be contained in $_SERVER['PHP_AUTH_USER'] and you can, as you propose, decide whether or not that person has access to a specific page in your site. Your code should work. Having said that, people normally implement complex authentication methods and access levels programmatically, using databases. They do not normally use Apache's very basic authentication scheme. Use of a 401 error is a matter of taste. It is simply not the way I would handle the issue. I would display a friendly error and/or up-marketing page with navigational links for registered users.
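The code in the first post picks a level from the user name alone, which is why any password is accepted once Apache is not enforcing the .htpasswd check. As an added example (not code from any poster in this thread), the PHP below refuses a level unless the supplied password also verifies against htpasswd-format entries. It assumes mod_php populates PHP_AUTH_PW and that the entries were created with `htpasswd -B` (bcrypt); the function names, users and passwords are constructed for illustration.

```php
<?php
// Added illustration; users, passwords and levels below are constructed.

// Parse htpasswd-format text ("user:hash" per line) into [user => hash].
function parseHtpasswd(string $text): array
{
    $entries = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && $parts[0] !== '') {
            $entries[$parts[0]] = $parts[1];
        }
    }
    return $entries;
}

// Return the user's level only when the password matches the stored bcrypt
// hash; a recognised user name alone is never enough.
function accessLevel(array $server, array $htpasswd, array $levels): ?int
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    $hash = $htpasswd[$user] ?? '';
    // password_verify() understands bcrypt ($2y$) entries, not the $apr1$ format.
    if (strncmp($hash, '$2y$', 4) !== 0 || !password_verify($pass, $hash)) {
        return null;
    }
    return $levels[$user] ?? null;
}

// Constructed stand-in for the contents of an htpasswd file.
$htpasswd = parseHtpasswd(
    'mike:' . password_hash('constructed-pw-1', PASSWORD_BCRYPT) . "\n" .
    'john:' . password_hash('constructed-pw-2', PASSWORD_BCRYPT) . "\n"
);
$levels = ['mike' => 1, 'clark' => 1, 'john' => 2];

$requests = [
    'mike, wrong password' => ['PHP_AUTH_USER' => 'mike', 'PHP_AUTH_PW' => 'guess'],
    'mike, right password' => ['PHP_AUTH_USER' => 'mike', 'PHP_AUTH_PW' => 'constructed-pw-1'],
    'john, right password' => ['PHP_AUTH_USER' => 'john', 'PHP_AUTH_PW' => 'constructed-pw-2'],
    'no credentials'       => [],
];
foreach ($requests as $label => $server) {
    $level = accessLevel($server, $htpasswd, $levels);
    echo $label, ': ', $level === null ? 'send 401' : "level $level", "\n";
}
```

On a real page, `$server` would be `$_SERVER` and the entries would come from the file named in `AuthUserFile`, with the 401 response sent whenever `accessLevel()` returns null.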